Data Processing Agreement (DPA)
Last Updated: September 29, 2025
This Data Processing Agreement ("DPA") is entered into by and between Breakout Learning Inc. ("Processor") and the Purchaser ("Controller") as part of the Sales Agreement. This DPA applies where Breakout Learning processes personal data on behalf of the Purchaser in relation to the products and services provided under the Sales Agreement. The provisions of this DPA are designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act (CCPA), and other relevant laws.
1. Definitions
- “Personal Data”: any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
- “Processing”: any operation performed on Personal Data, such as collection, storage, retrieval, use, disclosure, and deletion.
- “Data Subject”: the individual to whom the Personal Data relates.
- “Controller”: the Purchaser, who determines the purposes and means of processing the Personal Data.
- “Processor”: Breakout Learning, who processes Personal Data on behalf of the Controller.
- “Subprocessor”: any third party engaged by Breakout Learning to process Personal Data.
- “Affiliate”: any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where control means ownership of more than fifty percent (50%) of the equity or voting rights.
- “Data Protection Laws”: any applicable laws and regulations in relevant jurisdictions relating to the use or processing of Personal Data, including the EU GDPR, UK GDPR, CCPA, the Swiss FADP, FERPA, and India’s DPDP Act.
2. Purpose of Data Processing
Breakout Learning will process Personal Data solely for the purpose of providing the products and services described in the Sales Agreement, in accordance with the Controller’s documented instructions and applicable Data Protection Laws.
3. Data Protection Impact Assessments (DPIA)
Breakout Learning will assist the Purchaser in conducting DPIAs where required, including assessing high-risk processing or new technologies. If risks cannot be mitigated, Breakout Learning will notify the Purchaser so they may determine next steps.
4. Data Processing Instructions
Breakout Learning will process Personal Data only in accordance with the Purchaser’s documented instructions, unless otherwise required by law.
5. Subprocessors
- Breakout Learning may engage subprocessors to support delivery of the Services.
- A current list of authorized subprocessors is available upon request and will be kept up to date on Breakout Learning’s Trust Page.
- Breakout Learning will provide the Purchaser with at least 30 days’ advance notice before authorizing any new subprocessor. The Purchaser may object on reasonable data protection grounds within this period.
- Breakout Learning will ensure subprocessors are bound by data protection obligations no less protective than those in this DPA.
6. Security Measures
Breakout Learning will implement appropriate technical and organizational measures to ensure a level of security appropriate to risk, including but not limited to:
- Encryption of Personal Data in transit and at rest.
- Access controls to limit access to authorized personnel.
- Regular backups and tested recovery procedures.
- Monitoring and anomaly detection.
- Independent SOC 2 Type 2 audits covering security and processing integrity.
7. International Transfers of Personal Data
- Personal Data is hosted in the United States on Google Cloud Platform (GCP).
- Transfers from the EEA and UK are governed by the EU Standard Contractual Clauses (SCCs) and the UK Addendum.
- Breakout Learning will ensure appropriate safeguards for all international transfers.
8. Data Subject Rights
Breakout Learning will assist the Purchaser in responding to Data Subject rights requests under applicable law (access, rectification, erasure, restriction, portability, objection, withdrawal of consent).
9. Liability
Each party shall be liable for any breach of this DPA caused by its failure to comply with applicable data protection laws. Breakout Learning’s liability for breaches related to the processing of Personal Data is limited to the amount paid by the Purchaser for the related services.
10. Confidentiality
Breakout Learning will ensure all personnel authorized to process Personal Data are bound by confidentiality obligations consistent with this DPA and Data Protection Laws.
11. Audits and Inspections
The Purchaser may request audits or certifications to verify compliance. Breakout Learning will cooperate with reasonable audits conducted during normal business hours. Documentation is available via Breakout Learning’s Trust Page (https://trust.breakoutlearning.com).
12. Data Retention and Deletion
Breakout Learning will retain Personal Data only as long as necessary for the purposes outlined in the Sales Agreement or as required by law. Upon termination, Personal Data will be deleted or returned unless further retention is legally required.
13. Types of Personal Data and Processing Activities
Categories of Personal Data Processed:
- Email addresses and associated identifiers (name, username, device ID).
- Platform usage data (login/logout, time spent, technical logs).
- Transcripts of discussions (text only).
- Educational records, where provided by institutional customers under FERPA.
Processing Activities:
- Collection during registration and platform use.
- Storage in encrypted databases hosted on GCP (USA).
- Use for account management, service delivery, customer support, and platform analytics.
- Sharing only with authorized subprocessors as necessary.
- Retention/Deletion aligned with Section 13.
14. Regional and Sector-Specific Compliance
Breakout Learning will notify the Controller of any Personal Data Breach without undue delay and provide sufficient information to enable the Controller to meet its legal obligations. Where applicable, Breakout Learning will also comply with the specific breach notification requirements outlined below.
14.1 United States (FERPA, CCPA/CPRA, Nevada)
- FERPA: Where Breakout Learning processes education records, it acts as a “school official” with a legitimate educational interest. Breakout Learning will promptly notify the applicable School of any unauthorized disclosure or access to FERPA-protected data and will cooperate with the School in meeting its obligations under FERPA.
- CCPA/CPRA: Breakout Learning acts as a “service provider.” Personal Data will not be sold, shared, or used for targeted advertising. Breach notifications will be made as required under California law.
- Nevada: We do not currently sell personal information. Breach notifications will be made as required under Nevada law.
14.2 India (DPDP Act)
Breakout Learning designates its Data Protection Officer, Joshua Oster-Morris, as the Grievance Officer for India. Grievances will be acknowledged within seven (7) working days and addressed in accordance with the DPDP Act.
- In the event of a breach likely to cause significant harm, Breakout Learning will notify the Data Protection Board of India (DPBI) within seven (7) working days and inform affected Data Subjects where required.
14.3 Canada (PIPEDA)
Where Breakout Learning processes Personal Data of individuals in Canada, it complies with PIPEDA. Breach notifications will be made to the Office of the Privacy Commissioner of Canada and affected individuals where a breach poses a real risk of significant harm, as required by law.
14.4 China (PIPL)
Where Breakout Learning processes Personal Data of individuals in mainland China, it complies with the Personal Information Protection Law (PIPL).
- Breach notifications will be made to the relevant Chinese authorities and affected individuals in accordance with PIPL requirements.
14.5 United Kingdom, European Economic Area, and Switzerland (UK GDPR, EU GDPR, nFADP)
Breakout Learning complies with the UK GDPR, EU GDPR, and Swiss Federal Act on Data Protection (nFADP).
- EU GDPR/UK GDPR: Where a Personal Data Breach is likely to result in a risk to the rights and freedoms of individuals, supervisory authorities will be notified within 72 hours of awareness. Affected individuals will be notified where required by law.
- Swiss nFADP: Where a breach is likely to result in a high risk to affected individuals, the Swiss Federal Data Protection and Information Commissioner (FDPIC) will be notified without delay, and affected individuals will be informed where necessary.
14.6 Data Privacy Framework Participation
Breakout Learning participates in and has certified its compliance with:
- The EU–U.S. Data Privacy Framework (EU–U.S. DPF)
- The UK Extension to the EU–U.S. DPF
- The Swiss–U.S. Data Privacy Framework (Swiss–U.S. DPF)
Our certification covers personal data other than human resources data, including data relating to students, faculty, institutional and corporate clients, and visitors. When we transfer personal data to third parties, we remain liable under the DPF Principles if those parties process such data inconsistently with the Principles.
14.7 Texas (TX-RAMP Level 1)
Breakout Learning aligns with the Texas Risk and Authorization Management Program (TX-RAMP) Level 1 requirements for handling low-impact data.
15. Governing Law and Dispute Resolution
This DPA is governed by the laws of the State of Texas and disputes shall be resolved per the Sales Agreement.
16. Indemnity
The Purchaser shall indemnify Breakout Learning from claims, losses, or damages arising from the Purchaser’s failure to comply with Data Protection Laws or its instructions under this DPA.