This Data Processing Agreement ("DPA") is entered into by and between Breakout Learning Inc. ("Processor") and the Purchaser ("Controller") as part of the Sales Agreement. This DPA applies where Breakout Learning processes personal data on behalf of the Purchaser in relation to the products and services provided under the Sales Agreement. The provisions of this DPA are designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act (CCPA), and other relevant laws.

1. Definitions

• “Personal Data”: any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
• “Processing”: any operation performed on Personal Data, such as collection, storage, retrieval, use, disclosure, and deletion.
• “Data Subject”: the individual to whom the Personal Data relates.
• “Controller”: the Purchaser, who determines the purposes and means of processing the Personal Data.
• “Processor”: Breakout Learning, who processes Personal Data on behalf of the Controller.
• “Subprocessor”: any third party engaged by Breakout Learning to process Personal Data.
• “Affiliate”: any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where control means ownership of more than fifty percent (50%) of the equity or voting rights.
• “Data Protection Laws”: any applicable laws and regulations in relevant jurisdictions relating to the use or processing of Personal Data, including the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act (CCPA), the Swiss Federal Act on Data Protection (nFADP), the Family Educational Rights and Privacy Act (FERPA), India’s Digital Personal Data Protection Act, 2023 (DPDP Act), the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and South Africa’s Protection of Personal Information Act, 2013 (POPIA).

2. Purpose of Data Processing

Breakout Learning will process Personal Data solely for the purpose of providing the products and services described in the Sales Agreement, in accordance with the Controller’s documented instructions and applicable Data Protection Laws.

3. Data Protection Impact Assessments (DPIA)

Breakout Learning will assist the Purchaser in conducting DPIAs where required, including assessing high-risk processing or new technologies. If risks cannot be mitigated, Breakout Learning will notify the Purchaser so they may determine next steps.

4. Data Processing Instructions

Breakout Learning will process Personal Data only in accordance with the Purchaser’s documented instructions, unless otherwise required by law.

5. Subprocessors

• Breakout Learning may engage subprocessors to support delivery of the Services.
• A current list of authorized subprocessors is available upon request and will be kept up to date on Breakout Learning’s Trust Page.
• Breakout Learning will provide the Purchaser with at least 30 days’ advance notice before authorizing any new subprocessor. The Purchaser may object on reasonable data protection grounds within this period.
• Breakout Learning will ensure subprocessors are bound by data protection obligations no less protective than those in this DPA.

6. Security Measures

Breakout Learning will implement appropriate technical and organizational measures to ensure a level of security appropriate to risk, including but not limited to:

• Encryption of Personal Data in transit and at rest.
• Access controls to limit access to authorized personnel.
• Regular backups and tested recovery procedures.
• Monitoring and anomaly detection.
• Independent SOC 2 Type 2 audits covering security and processing integrity.

7. International Transfers of Personal Data

• Personal Data is hosted in the United States on Google Cloud Platform (GCP).
• Transfers from the EEA and UK are governed by the EU Standard Contractual Clauses (SCCs) and the UK Addendum or the UK International Data Transfer Agreement (IDTA), as applicable.
• Breakout Learning will ensure appropriate safeguards for all international transfers.

7.1 Transfers Subject to Non-GDPR Data Protection Laws

Where Personal Data is transferred or made available outside the jurisdiction of origin and is subject to Data Protection Laws other than the EU GDPR or UK GDPR (including, without limitation, the Australian Privacy Principles and South Africa’s Protection of Personal Information Act), Breakout Learning implements reasonable and appropriate safeguards to protect such Personal Data. These safeguards include contractual obligations requiring recipients and subprocessors to provide a level of protection that is no less protective than that required under this DPA, together with appropriate technical and organizational measures.

8. Data Subject Rights

Breakout Learning will assist the Purchaser in responding to Data Subject rights requests under applicable law (access, rectification, erasure, restriction, portability, objection, withdrawal of consent).

9. Liability

Each party shall be liable for any breach of this DPA caused by its failure to comply with applicable data protection laws. Breakout Learning’s liability for breaches related to the processing of Personal Data is limited to the amount paid by the Purchaser for the related services.

10. Confidentiality

Breakout Learning will ensure all personnel authorized to process Personal Data are bound by confidentiality obligations consistent with this DPA and Data Protection Laws.

11. Audits and Inspections

The Purchaser may request audits or certifications to verify compliance. Breakout Learning will cooperate with reasonable audits conducted during normal business hours. Documentation is available via Breakout Learning’s Trust Page (https://trust.breakoutlearning.com).

12. Data Retention and Deletion

Breakout Learning will retain Personal Data only as long as necessary for the purposes outlined in the Sales Agreement or as required by law. Upon termination, Personal Data will be deleted or returned unless further retention is legally required.

13. Types of Personal Data and Processing Activities

Categories of Personal Data Processed:

• Email addresses and associated identifiers (name, username, device ID).
• Platform usage data (login/logout, time spent, technical logs).
• Transcripts of discussions (text only).
• Educational records, where provided by institutional customers under FERPA.

Processing Activities:

• Collection during registration and platform use.
• Storage in encrypted databases hosted on GCP (USA).
• Use for account management, service delivery, customer support, and platform analytics.
• Sharing only with authorized subprocessors as necessary.
• Retention/Deletion aligned with Section 12.

14. Regional and Sector-Specific Compliance

14.1 United States (FERPA, CCPA/CPRA, Nevada)

Where Breakout Learning processes Personal Data subject to United States federal or state privacy laws, including the Family Educational Rights and Privacy Act (FERPA), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), and applicable Nevada privacy laws, it does so in accordance with such laws, as applicable.

Where Breakout Learning processes education records subject to FERPA, it acts as a “school official” with a legitimate educational interest and processes such records only for authorized educational purposes and in accordance with the applicable agreement with the educational institution.

14.2 India (Digital Personal Data Protection Act, 2023)

Where Breakout Learning processes Personal Data relating to individuals in India, it does so in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act), as applicable.

Breakout Learning designates its Data Protection Officer as its Grievance Officer for India and handles grievances and breach notifications in accordance with the DPDP Act.

14.3 Canada (Personal Information Protection and Electronic Documents Act)

Where Breakout Learning processes Personal Data relating to individuals in Canada, it does so in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), as applicable.

Breakout Learning implements appropriate safeguards and notification procedures where a breach poses a real risk of significant harm, as required under PIPEDA.

14.4 China (Personal Information Protection Law)

Where Breakout Learning processes Personal Data relating to individuals in mainland China, it does so in accordance with the Personal Information Protection Law of the People’s Republic of China (PIPL), as applicable.

Where required, cross-border transfers are conducted using lawful transfer mechanisms recognized under PIPL, and appropriate technical and organizational safeguards are applied.

14.5 United Kingdom, European Economic Area, and Switzerland

Where Breakout Learning processes Personal Data subject to the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), or the Swiss Federal Act on Data Protection (nFADP), it does so in accordance with such laws, as applicable.

Breakout Learning applies appropriate safeguards for international transfers, including the EU Standard Contractual Clauses and the UK International Data Transfer Agreement, where required.

14.6 Australia (Privacy Act 1988 and Australian Privacy Principles)

Where Breakout Learning processes Personal Data relating to individuals in Australia, it does so in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as applicable.

Where Personal Data is transferred or made available outside Australia, Breakout Learning takes reasonable steps to ensure that recipients and subprocessors are subject to privacy and security obligations that provide a level of protection consistent with the requirements of the APPs, including through contractual obligations and appropriate technical and organizational measures.

14.7 South Africa (Protection of Personal Information Act, 2013)

Where Breakout Learning processes Personal Data relating to individuals in South Africa, it does so in accordance with the Protection of Personal Information Act, 2013 (POPIA), as applicable.

Where Personal Data is transferred or made available outside South Africa, Breakout Learning applies appropriate safeguards intended to ensure that such Personal Data is afforded a level of protection consistent with the requirements of POPIA, including through contractual obligations and appropriate technical and organizational measures.

14.8 Data Privacy Framework Participation

Breakout Learning participates in and has certified its compliance with:

• The EU–U.S. Data Privacy Framework (EU–U.S. DPF)
• The UK Extension to the EU–U.S. Data Privacy Framework
• The Swiss–U.S. Data Privacy Framework (Swiss–U.S. DPF)

Our certification covers personal data other than human resources data, including data relating to students, faculty, institutional and corporate clients, and visitors. When we transfer personal data to third parties, we remain liable under the DPF Principles if those parties process such data inconsistently with the Principles.

14.9 Texas (TX-RAMP Level 1)

Breakout Learning aligns with the Texas Risk and Authorization Management Program (TX-RAMP) Level 1 requirements for handling low-impact data, as applicable.

15. Governing Law and Dispute Resolution

This DPA is governed by the laws of the State of Texas and disputes shall be resolved per the Sales Agreement.

16. Indemnity

The Purchaser shall indemnify Breakout Learning from claims, losses, or damages arising from the Purchaser’s failure to comply with Data Protection Laws or its instructions under this DPA.

Archived Versions

• Current version
• September 29, 2025