Data Processing Addendum


This Data Processing Agreement ("Agreement") entered into by and between Foundation LMS LLC. ("Foundation LMS" or "Us") and you ("Client" or "You"), is incorporated into and supplements our Terms of Use and Privacy Policy when Data Protection Laws apply to the processing of Student Data or Client Data (as defined below).

When using the Foundation LMS Platform (as defined in Foundation LMS' Terms of Use), a Client may upload, submit, or otherwise provide content to the Foundation LMS Platform ("Client Content"). The Client is the owner of their Client Content, and the sole Controller of any personal data included in their Client Content ("Client Data"). Foundation LMS processes Client Data on behalf of the Client at the Client's direction. Foundation LMS is a Processor, as defined in this Agreement and under applicable law, of Client Content and Client Data.

To connect Clients and Students and enable Clients to provide services to their Students, Foundation LMS provides Clients with access to a limited set of personal data of Students enrolled in their services ("Student Data"), as specified in our Privacy Policy. Foundation LMS and Clients may each use Student Data for their own business purposes, at all times subject to the terms of this Agreement, our Terms of Use, and our Privacy Policy. Foundation LMS and Clients are each independent Controllers, as defined in this Agreement and under applicable law, of Student Data collected by Foundation LMS that is accessed by or transferred to Clients.

Terms used but not defined in this Agreement can be found in our Terms of Use. For the avoidance of doubt, this Agreement comprises this Data Processing Agreement, any appendices to it, and the Standard Contractual Clauses (where applicable, and as defined herein).


Definitions

“California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time.

"Controller" means the entity determining the purpose and the manner in which Personal Information is processed.

"Processor" means an entity that processes Personal Information on behalf of a Controller.

"Data Protection Laws" means all data protection laws and regulations applicable to the processing of Client Data and Student Data, including, without limitation, the EU Data Protection Law and the CCPA.

"EU Data Protection Law" means all data protection laws and regulations applicable to the European Union, the European Economic Area ("EEA"), Switzerland, and the United Kingdom ("UK"), including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national legislation implementing the GDPR and Directive 2002/58/EC; and (iv) with respect to the UK, any applicable national legislation that replaces the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.

“Personal Data” means any information, including opinions, relating to an identified or identifiable natural person and includes similarly defined terms in Data Protection Laws, including, but not limited to, the definition of “personal information” in the CCPA.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, consumer personal data transmitted, stored or otherwise processed.

"Standard Contractual Clauses" means the COMMISSION IMPLEMENTING DECISION on standard contractual clauses between controllers and processors under Article 28 (7) of Regulation (EU) 2016/679 and Article 29 (7) of Regulation (EU) 2018/1725, as may be amended from time to time by the European Commission.

"Sensitive Data" means (i) social security number, passport number, driver's license number, or similar identifier (or any portion thereof); (ii) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (iii) employment, financial, genetic, biometric or health information; (iv) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (v) account passwords; or (vi) other information that falls within the definition of "special categories of data" under applicable Data Protection Laws.

"Sub-Processor" means any entity engaged by Foundation LMS to provide processing services in furtherance of Foundation LMS' processing of Client Data.

The terms "data subject" and "processing" shall have the meaning given to them under Data Protection Laws, or if not defined thereunder, the GDPR, and "process", "processes" and "processed" shall be interpreted accordingly.

  1. Relationship between the Parties.
    1. The parties acknowledge and agree that Client is the Controller and Foundation LMS is a Processor acting on behalf of Client with respect to Client Data and Student Data collected directly by the Client, as further described in Schedule A of this Agreement.
    2. The parties acknowledge and agree that Foundation LMS and Client each act as an independent Controller with respect to their particular processing of Student Data that is collected by Foundation LMS and accessed by or transferred to the Client, as further described in Schedule B of this Agreement. For the avoidance of doubt, Foundation LMS and Client are at all times independent Controllers, not joint Controllers, of Student Data.
  2. Client Obligations as a Controller of Student Data.
    1. Client shall (i) comply with all applicable laws, including but not limited to Data Protection Laws, in its use of the Foundation LMS Platform and its own processing of Student Data, (ii) ensure that it has, and will continue to have, the right to transfer, or provide access to, Student Data to Foundation LMS for processing in accordance with our Terms of Use and this Agreement, and (iii) be solely responsible for the accuracy, quality, and legality of Student Data and the means by which Client acquired Student Data.
    2. Client Instructions. Client appoints Foundation LMS to process Student Data on behalf of, and in accordance with, Client's documented instructions (i) as set forth in our Terms of Use and this Agreement; (ii) as necessary to comply with applicable law; and (iii) as otherwise agreed in writing by the parties. The parties agree that our Terms of Use and this Agreement constitute the Client's documented instructions to Foundation LMS regarding the processing of Student Data, and any processing outside the scope of these instructions shall require prior written agreement between the parties. Client will ensure that Client's documented instructions relating to Foundation LMS' processing of Student Data will not cause Foundation LMS to violate any applicable laws, including Data Protection Laws.
    3. Sensitive Data Prohibition. Client acknowledges that the Foundation LMS Platform is not intended for the processing of Sensitive Data and agrees that it will not provide (or cause to be provided) any Sensitive Data to Foundation LMS for processing under this Agreement and Foundation LMS Terms of Use. Foundation LMS will have no liability whatsoever for Sensitive Data, whether in connection with a Personal Data Breach or otherwise. For the avoidance of doubt, this Agreement will not apply to Sensitive Data. Should any Sensitive Data be transferred or uploaded to the Foundation LMS Platform by the Client, the Client shall immediately delete such information. Client shall communicate this prohibition to Students as appropriate and applicable.
  3. Foundation LMS' Obligations as Processor of Client Data.
    1. Foundation LMS shall process Client Data in accordance with applicable Data Protection Laws and consistent with our Terms of Use, Privacy Policy and this Agreement. Foundation LMS shall only process Client Data in accordance with the Client's documented instructions, as outlined in Section 2.2.
    2. Details of Data Processing.

      (a) Subject Matter: The subject matter of the Processing under this DPA is the Client Personal Data and Student Personal Data.

      (b) Frequency and duration: Notwithstanding expiration or termination of the Agreement, Foundation LMS will Process the Client Personal Data continuously and until deletion of all Client Personal Data as described in this DPA.

      (c) Nature of the Processing and Purposes of the Data Transfer and Further Processing: Foundation LMS provides an open online content creation platform and additional services and tools to allow Clients to offer courses and other services to their Students. Clients may upload, submit, or otherwise provide Client Content to the Foundation LMS Platform in connection with their use of Foundation LMS Services.

      Foundation LMS will process any personal data that is included in Client Content ("Client Data") only in accordance with the Client's documented instructions, including to (i) provide Foundation LMS Services, in accordance with our Terms of Use; (ii) to comply with any other reasonable instructions provided by Client that are consistent with our Terms of Use; and (iii) to comply with any applicable law.

      (d) Categories of Data Subjects: The type of data subjects will depend on the nature of the Client Content. The type of data subjects may include Students who enroll in the Client’s content, other visitors and participants in the Client Content, as well as Client and other third-parties.

    3. Foundation LMS shall notify the Client if it becomes aware of, or reasonably believes that, a documented instruction from the Client infringes upon Data Protection Laws.
    4. Confidentiality. Foundation LMS shall ensure that its employees, authorized agents, and any Sub-Processors authorized to process Client Data have agreed to comply with confidentiality obligations with respect to Client Data.
    5. Assistance to Client. Foundation LMS shall, taking into account the nature of the processing and the information available to Foundation LMS, provide reasonable assistance to Client to enable Client to comply with its obligations under applicable Data Protection Laws. Notwithstanding the foregoing, Client agrees that it will not cause Foundation LMS to process any personal data that presents a high risk to the rights and freedoms of data subjects.
    6. Sub-Processors.
      1. Client hereby provides a general authorization to Foundation LMS to engage Sub-processors for the processing of Client Data. See Appendix II for a list of Sub-processors that Client has authorized to process Client Data on its website. Client consents to Foundation LMS engaging additional or replacement Sub-processors to process Client Data pursuant to this Agreement, provided that Foundation LMS provides the Client with its intent to engage a new or replacement Sub-processor. Foundation LMS will provide its intent by updating the list of Sub-Processors, which shall contain a mechanism for Client to subscribe to notifications of new or replaced Sub-processors. Client shall, without undue delay, object to any changes with regards to added or replaced Sub-processors. The Client understands and accepts that such objection may result in Foundation LMS not being able to fulfill its obligations under our Terms of Use to the extent such obligations are related to the relevant Sub-processor.
      2. Prior to the relevant Sub-Processor carrying out any processing activities in respect of Client Data, Foundation LMS shall enter into an agreement with the Sub-Processor containing data protection obligations that provide at least the same level of protection for Client Data as those under this Agreement.
    7. Deletion on Termination. Upon termination or expiration of this Agreement, Foundation LMS shall (at the Client's election) return or delete all Client Data in its possession or control, except that this requirement shall not apply to the extent Foundation LMS is required to retain some or all of the Client Data to comply with its legal obligations, or to Client Data it has archived on backup systems, which Foundation LMS shall protect from any further processing and eventually delete in accordance with Foundation LMS' data retention policies, except to the extent required by applicable law.
      1. Client acknowledges and agrees that Foundation LMS will fulfill its obligations to return Client Data under this section by providing Client the opportunity to download and export Client Content out of the Foundation LMS Platform.
  4. Data Subject Requests.
    1. Client Data. As part of the Foundation LMS Platform, Foundation LMS provides the Client with a number of self-service features, including the ability to modify, delete, and restrict access to Client Content, that Client may use to assist in complying with its obligations under Data Protection Laws with respect to responding to requests from data subjects regarding Client Data.
    2. Student Data. Each party shall respond to data subject requests received by it concerning the processing of applicable Student Data promptly and within the timeframes required by Data Protection Laws. In the event that Client receives any data subject requests regarding Student Data, Client will promptly (and in any event within three business days) notify Foundation LMS and provide Foundation LMS with a copy of the request. To the extent that Foundation LMS is a Controller of the Student Data that is the subject of such request, Foundation LMS will respond directly to the Student.
    3. Foundation LMS shall, taking into account the nature of the processing, provide reasonable assistance to Client to enable Client to comply with its data protection obligations with respect to data subject requests.
  5. Security and Compliance Rights.
    1. Security Measures. Taking into account the state of technical developments and the nature of processing, Foundation LMS undertakes to establish and maintain appropriate technical and organizational measures in order to protect Client Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access, in accordance with Foundation LMS' security standards described in Appendix I.
    2. Personal Data Breaches. We will notify you without undue delay after we become aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.
    3. Compliance Obligations. In order to ensure compliance with the applicable Data Protection Laws, Foundation LMS shall make available to the Client information necessary to demonstrate compliance with the legal obligations related to the processing of Client Data by Foundation LMS on behalf of the Client.
    4. Foundation LMS shall respond to all reasonable requests for information made by Client to confirm Foundation LMS' compliance with this Agreement upon Client's written request to privacy@FoundationLMS.com.
    5. Upon written request, Foundation LMS shall supply (subject to confidentiality protections) a summary copy of its most current audit report(s) ("Audit Report") to Client, so that Client can verify Foundation LMS' compliance with the audit standards against which it has been assessed.
    6. Should an audit be requested under applicable Data Privacy Laws to assess Foundation LMS' compliance with the terms of this Agreement, the parties shall select an accredited independent third-party audit firm that is mutually agreeable to both parties. Client shall be responsible for all costs, fees, and expenses related to such audit. The scope of the audit shall be limited to Foundation LMS' compliance with Data Privacy Laws as applied under this Agreement. Notwithstanding the foregoing, the audit shall occur during regular business hours, with reasonable advance notice to Foundation LMS, and subject to confidentiality protections. Client may not audit Foundation LMS more than once annually.
  6. International Transfers.
    1. The Client acknowledges and agrees that Foundation LMS may transfer and process personal data in and to servers and databases located in the United States and anywhere else in the world where Foundation LMS, its affiliates, or its Sub-Processors maintain their servers, provided that Foundation LMS shall comply with the provisions of applicable Data Protection Laws relating to the transfer.
    2. To the extent that Foundation LMS transfers Client Data protected by the European Data Protection Law, Foundation LMS and Client agree to abide by and process Client Data in compliance with the Standard Contractual Clauses. When the Client is a controller (as defined in GDPR), the Controller-to-Controller Clauses will apply; when the Client is a processor (as defined in GDPR), the controller-to-processor clauses will apply. Where Foundation LMS acts as a Processor and Client is located in the EEA or Switzerland, Client agrees to execute appropriate Controller to Processor Standard Contractual Clauses. Where Foundation LMS acts as a Processor and Client is located in the UK, Client agrees to execute UK-specific Standard Contractual Clauses.
    3. The Client acknowledges and agrees that Foundation LMS shall be entitled to enter into Standard Contractual Clauses with any Sub-processor on behalf of the Client.
  7. Limitation of Liability.
    1. Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA (including any other DPAs between the parties) and the Standard Contractual Clauses, where applicable, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' section of the Terms of Use and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA). For the avoidance of doubt, if Foundation LMS is not a party to the Agreement, the ‘Limitation of Liability’ section of the Terms of Use will apply as between you and Foundation LMS, and in such respect any references to Foundation LMS, ‘we’, ‘us’ or ‘our’ will include both Foundation LMS and the Foundation LMS entity that is a party to the Agreement. In no event will either party's liability be limited with respect to any individual's data protection rights under this DPA (including any other DPAs between the parties and the Standard Contractual Clauses, where applicable) or otherwise.
  8. Miscellaneous.
    1. Superseding Agreement. Unless otherwise agreed to between the parties, Client acknowledges and agrees this Agreement shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Foundation LMS Platform.
    2. Severability. If any one or more of the provisions contained in this Agreement is, for any reason, held to be invalid, illegal, or unenforceable in any respect, that invalidity, illegality, or unenforceability will not affect any other provisions of this Agreement, but this Agreement will be construed as if those invalid, illegal, or unenforceable provisions had never been contained in it, unless the deletion of those provisions would result in such a material change so as to cause completion of the transactions contemplated by this Agreement to be unreasonable.
    3. Assignments. No one other than a party to this Agreement, its successors and permitted assignees (as determined in our Terms of Use) shall have any right to enforce any of its terms.
    4. Conflicts. Except as provided by this DPA, the Terms of Service remains unchanged and in full force and effect. If there is any conflict between this DPA and the Terms of Service, this DPA shall prevail to the extent of that conflict in connection with the Processing of Client Data.
    5. Updates. Foundation LMS may update the terms of this Agreement from time to time, at its sole discretion, provided Foundation LMS gives Client reasonable advance notice of the update. Any additional amendments, change or alteration of this Agreement must be made in writing and duly signed by both Parties in order to become valid and effective.
    6. Notices. Unless otherwise specified in this Agreement, each party giving notice or other communication required or permitted under this Agreement shall use one of the following methods of delivery: personal delivery, mail (registered or certified mail, postage prepaid, return-receipt requested), nationally recognized overnight courier (fees prepaid), or email.
    7. Headings. The descriptive headings of the sections and subsections of this Agreement are for convenience only, and do not affect this Agreement's construction or interpretation.
    8. Gender/Plural. Whenever such wording may appear in this Agreement, words in the singular shall mean and include the plural and vice versa and words in the feminine shall mean and include the masculine and vice versa.
    9. Notwithstanding anything to the contrary in the Terms of Service or this DPA, each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Terms of Service. Without limiting the Parties’ obligations under the Terms of Service, each Party agrees that any regulatory penalties incurred by one Party (the “Incurring Party”) in relation to the Client Data that arise as a result of, or in connection with, the other Party’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce the Incurring Party’s liability under the Agreement as if it were liability to the other Party under the Terms of Service.
    10. In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this DPA.
    11. Jurisdiction. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Terms of Service.
  9. Government & Law Enforcement Inquiries.
    1. If Foundation LMS receives a demand to retain, disclose, or otherwise Process Client Data from law enforcement or any other government and/or public authority (“Third-Party Demand”), then Foundation LMS shall attempt to redirect the Third-Party Demand to Client. Client agrees that Foundation LMS can provide information to such third-party to the extent reasonably necessary to redirect the Third-Party Demand to Client. If Foundation LMS cannot redirect the Third-Party Demand to Client, then Foundation LMS shall, to the extent legally permitted to do so, provide Client reasonable notice of the Third-Party Demand as promptly as feasible under the circumstances to allow Client to seek a protective order or other appropriate remedy.
  10. Data Processor Contact Points

    Data exporter(s): Client
    - Name:
    - Address:
    - Contact person’s name, position and contact details:
    - Activities relevant to the data transferred under these Clauses: The data exporter receives the Services from the data importer in accordance with the Data Processing Agreement.
    - Signature and date:
    - Role (controller/processor): Controller

    Data importer(s):
    - Name: Foundation LMS
    - Address: Foundation LMS, Inc. 365 West Passaic Street, Rochelle Park, NJ 07662, USA
    - Contact person’s name, position and contact details: Foundation LMS Privacy Department, privacy@FoundationLMS.com
    - Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Data Processing Agreement.
    - Signature and date: This agreement is deemed to be signed and executed by Foundation LMS as of the date on which the Client/Data Importer begins using Foundation LMS’ services.
    - Role (controller/processor): Processor

APPENDIX I: Security Measures

Foundation LMS cares deeply about the security and privacy of the data you entrust us with, and we understand that our information security practices are important to you. We endeavor to meet all applicable legal requirements for security measures, including GDPR and CCPA.

While we can’t reveal all the details of our practices, we feel it’s important to be as transparent as possible without giving a playbook to the people we’re protecting ourselves against. Below you will find some general information about how we implement our security and privacy safeguards.

Foundation LMS will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of the data uploaded to the Platform, as described in this DPA, or otherwise made reasonably available by Foundation LMS. The security practices described in this Appendix I are currently observed by Foundation LMS. Although it reserves the right to modify or update these practices, Foundation LMS will not materially decrease the overall security of the Platform during a subscription term.

Physical access controls: Foundation LMS is hosted in Microsoft Azure, a multi-tenant environment. The physical and environmental security controls are audited for SOC 2 Type II compliance, among other certifications.

System access controls: Access controls within the Platform are designed to permit role-based access control using least-privilege access principles.

Data access controls: Client and Student Data is stored in multi-tenant storage systems accessible to Client via only application user interfaces and application programming interfaces. Clients are not allowed direct access to the underlying application infrastructure. The authorization model in our Platform is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Transmission controls: In-transit: We require HTTPS encryption (also referred to as SSL or TLS) on all login interfaces and for free on every Client Portal hosted on the Foundation LMS Platform. Our HTTPS implementation uses industry standard algorithms and certificates.

Password encryption: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored password data is encrypted.

Input controls: We log information regarding system behavior, system authentication, and other application requests. Utilizing Azure Threat Detection, we are able to monitor and be responsive to malicious, unintended, or anomalous activities. We also maintain a record of security incidents. Any suspected or confirmed security incident is investigated by Foundation LMS personnel, who then identify appropriate steps to resolve the incident and minimize damage or unauthorized disclosure (if any).

Data backups: By hosting the Platform in Azure, we are able to ensure redundancy and fail-over protections, including geo-redundancy. All databases are backed up and maintained using industry standard methods.

APPENDIX II – LIST OF SUB-PROCESSORS

Foundation LMS uses Sub-processors to perform various functions associated with the processing of Client Content. The table below identifies the Sub-processors Foundation LMS uses and provides a brief description of the service(s) each Sub-processor provides for Foundation LMS.

| Third Party Sub-Processor | Purpose |
| --- | --- |
| Microsoft Azure | Web hosting, data warehouse, data backup, DNS and CDN services |
| Mailchimp | Email marketing, Client custom integration |
| Brevo | Email delivery and analytics |
| Stripe | Payment processing service provider |
| Google Analytics | Data analytics |
| MongoDB | Database |