Last Updated: October 1, 2023
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement and Order Form (“Agreement”) between Newsela and the Customer (individually, a “Party,” and collectively, the “Parties”) identified on the applicable Order Form. The term of this DPA shall follow the term of the Agreement. Capitalized terms not defined herein shall have the meaning as set forth in the Agreement.
In the course of providing the Services to Customer pursuant to the Agreement, Newsela may process Personal Data on behalf of Customer. The Parties agree to comply with the following provisions with respect to any Personal Data and/or Customer Data submitted by or on behalf of Customer to Newsela in connection with the Services.
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
1.1.1 "Applicable Data Protection Laws" the data protection laws of applicable U.S., and global data protection laws including but not limited to EU Data Protection Laws, UK GDPR, the Family Educational Rights and Privacy Act (“FERPA”) Children's Online Privacy Protection Act (“COPPA”), California Consumer Privacy Act and its subsequent amendments (“CCPA”), Canadian provincial Freedom of Information and Protection of Privacy laws, the British Columbia Personal Information Protection Act, the Alberta Personal Information Protection Act, and the Quebec Act (“Canadian Privacy Laws”);
1.1.2 "Customer Data" means any Personal Data, student data, and/or business data processed by Newsela on Customer's behalf pursuant to or in connection with the Agreement and the DPA, and as defined by Applicable Data Protection Laws;
1.1.3 “Customer SCCs” means (i) where the EU GDPR applies, the contractual clauses annexes the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council; and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR located at https://newsela.com/about/scc/. Please note, Customer SCCs are primarily entered into with Customers based outside the U.S., and in the EU or UK.
1.1.4 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time; the European Union General Data Protection Regulation 2016/679 (“EU GDPR”) and laws implementing or supplementing the EU GDPR;
1.1.5 “Personal Data” shall have the same meaning as defined and recognized under Applicable Data Protection Laws;
1.1.6 "Subprocessor" means any person appointed by or on behalf of Newsela to process Personal Data on behalf of Customer in connection with the DPA;
1.1.7 “Third Country” means a country outside the European Economic Area not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU GDPR); and
1.1.8 “UK GDPR” means as defined in Section 3 of the Data Protection Act 2018.
1.2 If you are a Customer for whom the EU GDPR and/or the UK GDPR qualify as Applicable Data Protection Laws, please note that the terms "Commission," "Controller," "Data Subject," "Member State," and "Supervisory Authority" shall have the same meaning as in the EU GDPR or UK GDPR, and their cognate terms shall be construed accordingly.
2.1 Roles of the Parties. For purposes of this DPA, the Parties acknowledge and agree, when applicable, with the following:
2.1.1 To the extent that this DPA is entered into by a Customer based in the EU or UK, or a Customer for whom the EU GDPR or the UK GDPR qualify as Applicable Data Protection Laws, you, the Customer, are the Data Controller and Newsela is a Data Processor as defined by EU Data Protection Laws or UK GDPR.
2.1.2 To the extent that this DPA is entered into by a Customer based in the US, Newsela is a “school official” under FERPA and has a legitimate educational interest in personally identifiable information from education records received from the Customer pursuant to the DPA. For purposes of the Agreement and this DPA, Newsela: (a) provides a service or function for which Customer would otherwise use employees; (b) is under the direct control of the Customer with respect to the use and maintenance of education records; and (3) is subject to the requirements of FERPA governing the use and redisclosure of personally identifiable information from the education records received from Customer; and
2.1.3 Newsela is a “Service Provider,” “Third Party” or “Operator” as used in Applicable Data Protection Laws.
2.2 Permitted Uses. Newsela provides digital educational software or services, including cloud-based services, for the digital storage, management, retrieval, and use of Customer Data. Newsela will not process Customer Data other than in accordance with Customer’s instructions per the Agreement. Customer permits Newsela to process Customer Data to provide Newsela’s products, services and related technical support as stated in the Agreement and Newsela’s Privacy Policy.
2.3 Compliance with Laws. The Parties agree to comply with all Applicable Data Protection Laws, rules and regulations in the performance of this DPA. Nothing in this DPA may be construed to allow either party to maintain, use, disclose, or share Customer Data in a manner not allowed under the Applicable Data Protection Laws.
2.4 Details of Data Processing.
2.4.1 Subject matter. The subject matter of the data processing under this DPA is Customer Data.
2.4.2 Duration. As stated in the Agreement.
2.4.3 Purpose. The purpose is to provide Customers with Products agreed to under the Agreement.
2.4.4 Nature of the processing. Providing Product(s) described in the Agreement and this DPA.
2.4.5 Type of Customer Data. Customer Data uploaded to the Services under Customer’s Newsela accounts.
2.4.6 Categories of data subjects. The data subjects include Customer’s Authorized Users and end users.
2.5 Ownership. All Customer Data transmitted to Newsela pursuant to the Agreement and DPA is and will continue to be the property of and under the control of Customer. Customer acknowledges and agrees that it has the legal authority and consent to disclose, share, and transfer all Customer Data and User Data to Newsela for the purposes agreed to under the Agreement and this DPA. Newsela further acknowledges and agrees that all copies of Customer Data transmitted to the Customer, including any modifications or additions or any portion thereof from any source, are subject to the provisions of this DPA in the same manner as the original Customer Data. The Parties agree that as between them, all rights, including all intellectual property rights in and to Customer Data contemplated per the Agreement and DPA, shall remain the exclusive property of the Customer. Customer grants to Newsela a non-exclusive, royalty-free, worldwide license to use, transmit, distribute, modify, reproduce, display and store Customer Data transferred under the Agreement or this DPA solely for the purposes permitted by Customer.
2.6 No Re-Identification. If Newsela receives de-identified Customer Data, or de-identifies Customer Data from which identifying information has been removed, aggregated, and/or anonymized (“De-identified Data”), Newsela agrees to make no attempt to re-identify De-identified Data. De-Identified Data may be used by Newsela for purposes permitted under Applicable Data Protection Laws. Specifically, Newsela may use De-identified Data for the following purposes: (1) assisting Customer or other governmental agencies in conducting research and other studies; (2) developing and updating Newsela’s services and products, including educational sites, applications, and experimental features; and (3) adaptive learning and customized student learning. Newsela's use of De-Identified Data shall survive termination of this DPA or any request by Customer to return or destroy Customer Data. Except for Subprocessors, Newsela agrees not to transfer De-identified Data to any party unless (a) that party agrees in writing not to re-identify or attempt to re-identify the data, and (b) prior written notice has been given to the Customer who has provided prior written consent for such transfer.
2.7 Analytics. In addition to the permitted uses described in Section 2.2, Newsela is permitted to use Customer Data for the purpose of: (i) generating analyses, metrics and reports based on Customer Data in whole or in part (“Analytics”); (ii) providing Analytics and reports based on such Analytics to Customer and others as permitted by this DPA and Applicable Data Protection Laws; and (iii) maintaining, supporting, evaluating, improving, and developing educational sites, services or applications.
Newsela shall enter into written agreements with all Subprocessors performing functions for Newsela in order for Newsela to provide the Products pursuant to the Agreement, whereby the Subprocessors agree to protect Customer Data in a manner no less stringent than the terms of this DPA. Upon request, Newsela agrees to share with you the names of subcontractors that have direct access to Customer Data.
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; Newsela shall, in relation to the Customer Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as required under Applicable Data Protection Laws.
5.1 Data Subject Requests. Newsela will promptly notify Customer if it receives a request from an end user (“Data Subject Request”). Newsela shall not respond to any such Data Subject Request without Customer’s prior written consent. Newsela shall comply with any reasonable request by Customer, or any request mandated by Applicable Data Protection Laws and regulations applicable to Customer and made by Customer, to amend, block or delete Customer Data.
5.2 Data Subject Request Assistance. Newsela shall give prompt and reasonable attention, co-operation and assistance to Customer in order to assist Customer in complying with any Data Subject Request and comply with reasonable instructions and timetables of Customer in relation to the provision of details of Customer Data to the relevant individual.
5.3 Complaints or Requests. Newsela shall notify Customer promptly upon receipt of any complaint or request relating to: (a) Customer obligations under Applicable Data Protection Laws; (b) Personal Data; or (c) any breach of this DPA, and shall provide reasonable and prompt cooperation and assistance in relation to such complaint, request or breach reasonably requested by Customer.
6.1 Security Incident. In the event of an unauthorized release, disclosure or acquisition of Customer Data that compromises the security, confidentiality or integrity of the Data maintained by Newsela (“Security Incident”), Newsela shall provide notification to the Customer within seventy-two (72) hours of confirmation of the incident, unless notification within this time limit would disrupt investigation of the incident by law enforcement. In such an event, notification shall be made within a reasonable time after the Security Incident.
6.2 Data Breach Notification. The security breach notification described above shall include, at a minimum, the following information to the extent known by Newsela and as it becomes available:
The name and contact information of the individual reporting a breach subject to this section;
A list of the types of personal information that were or are reasonably believed to have been the subject of the Security Incident;
If the information is possible to determine at the time the notice is provided, then either (1) the date of the Security Incident, (2) the estimated date of the Security Incident, or (3) the date range within which the Security Incident occurred. The notification shall also include the date of the notice;
Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided; and
A general description of the Security Incident, if that information is possible to determine at the time the notice is provided.
6.3 Security Laws. Newsela agrees to adhere to all requirements under the Applicable Data Privacy Laws with respect to a Security Incident related to Customer Data, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of any such Security Incident. In the event of a Security Incident originating from the Customer’s use of the Products, Newsela shall cooperate with the Customer to the extent necessary to expeditiously secure Customer Data.
Upon termination of this DPA for whatever reason, or upon written request from Customer at any time, Newsela shall cease to use or process any Customer Data received from or on behalf of Customer under this DPA, and return to Customer, or destroy (at Customer's direction), any Customer Data in Newsela's possession or control in accordance with Newsela’s data retention policy (unless Applicable Data Protection Laws require the continued storage of such Customer Data).
Customers subject to the EU GDPR and UK GDPR please note that the Customer is the Controller and Newsela is the Processor. The Customer SCCs (Controller-to-Processor Clauses) located here will apply and govern the relationship between the Parties directly and as it relates to onward transfer, to any Third Country.
As stated above, To the extent that this DPA is entered into by a Customer based in the EU or UK, or a Customer for whom the EU GDPR and/or the UK GDPR qualify as Applicable Data Protection Laws, the Customer, is the Data Controller and Newsela is a Data Processor as defined by EU Data Protection Laws or UK GDPR.
No more than once a year, or following a Security Incident, upon receipt of a written request from the Customer with at least ten (10) business days’ notice and upon the execution of an appropriate confidentiality agreement, Newsela will allow the Customer to audit the security and privacy measures that are in place to ensure protection of Customer Personal Data or any portion thereof as it pertains to the delivery of Products to the Customer.
The Parties agree that all indemnification obligations and liabilities between them under this DPA is as stated in the Agreement between the Parties (including as to limitation of liability).
11.1 Confidentiality. Each Party must keep confidential any Confidential Information it receives about the other Party and its business in connection with this DPAand must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by Applicable Data Protection Laws, or; (b) the relevant information is already in the public domain. Each Party agrees to comply with all confidentiality obligations under section 6 of the Agreement.
11.2 Notices. All notices and communications given under this DPA must be in writing and will be sent in accordance with Section 11 of the Agreement.
11.3 Governing Law. Unless agreed to otherwise, this DPA and all claims relating to this DPA shall be interpreted, construed and enforced in accordance with the laws of the State of New York without giving effect to its conflicts of laws rules.