This Data Processing Agreement ("DPA") is entered into by and between Breakout Learning Inc ("Processor") and the Purchaser ("Controller") as part of the Sales Agreement. This DPA applies where Breakout Learning processes personal data on behalf of the Purchaser in relation to the products and services provided under the Sales Agreement. The provisions of this DPA are designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR) and the California Consumer Privacy Act (CCPA).

1. Definitions

• “Personal Data” refers to any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
• “Processing” means any operation performed on Personal Data, such as collection, storage, retrieval, use, disclosure, and deletion.
• “Data Subject” refers to the individual to whom the Personal Data relates.
• “Controller” refers to the Purchaser, who determines the purposes and means of processing the Personal Data.
• “Processor” refers to Breakout Learning, who processes Personal Data on behalf of the Controller.
• “Subprocessor” refers to any third party engaged by Breakout Learning to process Personal Data.
• “Affiliate” means any entity that directly or indirectly controls is controlled by, or is under common control with a party, where control means the direct or indirect ownership of more than fifty percent (50%) of the equity or voting rights of such entity.
• “Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data, including the EU GDPR, the UK GDPR, the California Consumer Privacy Act (“CCPA”), and the Swiss Federal Act on Data Protection.

2. Purpose of Data Processing

Breakout Learning will process Personal Data solely for the purpose of providing the products and/or services described in the Sales Agreement and for any additional purposes agreed upon in writing by the Purchaser. This processing will comply with the Purchaser's documented instructions and applicable Data Protection Laws.

3. Data Protection Impact Assessments (DPIA)

A Data Protection Impact Assessment (“DPIA”) is required when processing Personal Data that may result in high risks to the rights and freedoms of individuals.

Breakout Learning will assist the Purchaser in conducting a DPIA, where applicable, to assess the impact of any new processing activities or when implementing new technologies that may affect Personal Data.

If Breakout Learning identifies any high risks during a DPIA that cannot be mitigated, it will notify the Purchaser so that the Purchaser can decide on the next steps, including whether to continue processing the Personal Data.

4. Data Breach Notification

In the event of a Personal Data Breach, Breakout Learning will notify the Purchaser without undue delay, and no later than twenty-four (24) hours after becoming aware of the breach. The notification will include all relevant information to allow the Purchaser to fulfill any legal obligations, including notifying the relevant supervisory authority and Data Subjects if required.

Breakout Learning will cooperate with the Purchaser to manage the breach and will assist in investigating and mitigating any potential damage caused by the breach.

If Breakout Learning is required by law to report the breach to any regulatory body or Data Subject directly, it will do so promptly and assist the Purchaser in fulfilling their obligations.

In the event the breach affects individuals located in India and may result in significant harm, Breakout Learning will also notify the Data Protection Board of India (DPBI) and affected individuals, as required under the Digital Personal Data Protection Act, 2023 (DPDP Act).

5. Data Processing Instructions

Breakout Learning will only process Personal Data in accordance with the Purchaser’s documented instructions unless required to do otherwise by law. In such cases, Breakout Learning shall inform the Purchaser of the legal requirement before processing unless prohibited by law.

6. Subprocessors

• Breakout Learning may engage subprocessors to assist in the processing of Personal Data. A list of subprocessors will be maintained and provided to the Purchaser upon request.
• Breakout Learning will ensure that any subprocessor is bound by data protection obligations consistent with those imposed on Breakout Learning under this DPA.
• The Purchaser grants general authorization for the engagement of subprocessors and will be notified in advance of any changes or additions to the list of subprocessors. The Purchaser may object to the use of a new subprocessor based on reasonable grounds related to data protection within 30 days of being notified. If the Purchaser objects, Breakout Learning will either not engage the subprocessor or provide an alternative solution.

7. Subprocessor Transparency

• Breakout Learning will provide at least 30 days prior notice to Purchasers before authorizing any new subprocessors to process Personal Data.
• The Purchaser will have a window of 30 days to object to any new subprocessor based on reasonable data protection concerns.
• Breakout Learning will provide a subscription form or settings option for the Purchaser to receive notifications of sub-processor changes.

8. Data Security

Breakout Learning will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with the processing of Personal Data, including encryption, pseudonymization, and regular audits. Breakout Learning’s security measures include, but are not limited to:

• Encryption of Personal Data in transit and at rest.
• Regular data backups and testing of recovery procedures.
• Access controls to ensure that only authorized personnel have access to Personal Data.
• Monitoring of security logs and anomaly detection.

Breakout Learning has undergone SOC 2 Type 2 audits, which include the Security and Processing Integrity Trust Service Criteria.

9. Transfers of Personal Data

Breakout Learning may transfer Personal Data outside of the European Economic Area (EEA) or the United Kingdom (UK), subject to the requirements of the GDPR and UK GDPR.

Ex-EEA and Ex-UK Transfers: In the event of data transfers outside the EEA or UK, the parties agree that these transfers will be governed by the EU Standard Contractual Clauses (SCCs) and the UK Standard Contractual Clauses (UK SCCs).

Breakout Learning shall ensure that appropriate safeguards are in place to protect Personal Data during such transfers.

10. Data Subject Rights

Breakout Learning will assist the Purchaser in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including the rights of access, rectification, erasure, restriction, portability, and objection to processing.

The Purchaser is responsible for ensuring that data subject requests are handled appropriately and within the required timelines.

Breakout Learning will cooperate with the Purchaser to facilitate compliance with Data Subject requests, including providing necessary technical and organizational measures.

11. Liability

Each party shall be liable for any breach of this DPA caused by its failure to comply with applicable data protection laws.

Breakout Learning’s liability for breaches related to the processing of Personal Data will be limited to the amount paid by the Purchaser for the services related to the processing of Personal Data.

12. Confidentiality

Breakout Learning will ensure that any person authorized to process Personal Data has agreed to protect Personal Data in accordance with Breakout Learning’s confidentiality obligations and applicable Data Protection Laws.

13. Security of Personal Data

Breakout Learning will implement and maintain security measures designed to ensure the confidentiality, integrity, availability, and resilience of processing systems and services. These measures will be regularly tested and evaluated for effectiveness.

14. Audits and Inspections

The Purchaser may request audits or inspections to verify Breakout Learning’s compliance with the terms of this DPA. Breakout Learning will cooperate with such audits, which are reasonable and conducted during normal business hours.

The Purchaser may request that Breakout Learning provide certifications or reports demonstrating compliance with applicable data security standards.

Breakout Learning’s Trust Page has detailed documentation of certifications and compliance efforts https://trust.breakoutlearning.com/.

15. Data Retention and Deletion

Breakout Learning will retain Personal Data only for as long as necessary to fulfill the purposes outlined in the Sales Agreement or required by applicable law.

Upon termination of the Sales Agreement, Breakout Learning will delete or return all Personal Data to the Purchaser, unless retention is required by law.

16. CCPA Compliance

Breakout Learning agrees that, except for Company Account Data and Company Usage Data, it acts as a service provider under the CCPA with respect to Personal Data provided by the Purchaser. Breakout Learning will not sell, retain, use, or disclose Personal Data for purposes other than those required to provide the Services to the Purchaser.

17. Governing Law and Dispute Resolution

This DPA shall be governed by the laws of the State of Texas, and any disputes arising out of this DPA shall be resolved in accordance with the dispute resolution provisions in the Sales Agreement.

18. Types of Personal Data and Processing Activities

The following Personal Data (PII) may be processed by Breakout Learning as part of the services provided under this DPA:

Types of Personal Data Processed:

• The primary PII processed: Email Address.
• Associated Identifiers: Email addresses may be associated with other identifiers, including, but not limited to, names, usernames, device identifiers, and account-related data, as necessary to provide services.

Purpose of Processing:

• To provide and manage access to the Breakout Learning platform and services.
• To send communications related to the services, such as account verification, notifications, and customer support.
• To monitor, maintain, and improve the performance and security of the platform.
• To comply with applicable legal, regulatory, and contractual obligations.

• Collection: Email addresses, along with any associated identifiers, are collected during registration or as part of the user interaction with the platform.
• Storage: Email addresses and associated identifiers are stored securely in compliance with industry standards, including encryption and access control measures.
• Use: The collected data is used to provide the services, communicate with users, and enhance platform performance and security.
• Sharing: Email addresses and associated identifiers may be shared with authorized subprocessors for the sole purpose of fulfilling service requirements.
• Retention: Email addresses and associated identifiers will be retained as long as necessary to provide the services or as required by law or contractual obligations.
• Deletion: Upon termination of the services or upon request, email addresses and associated identifiers will be deleted unless further retention is required by law or regulatory obligations.

19. Indemnity

The Purchaser shall indemnify Breakout Learning from any claims, losses, or damages arising from the Purchaser’s failure to comply with Data Protection Laws or the instructions provided to Breakout Learning under this DPA.

20. FERPA Compliance

Where Breakout Learning processes education records on behalf of educational institutions in the United States, it does so in accordance with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, and its implementing regulations. Breakout Learning functions as a “school official” with a legitimate educational interest, under the direct control of the educational institution, and uses such education records only to provide the Services and for no other purpose unless otherwise permitted by FERPA or authorized in writing by the institution.

21. Grievance Officer (India)

In accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act), Breakout Learning designates the following Grievance Officer for individuals and entities located in India:

• Name: Joshua Oster-Morris
• Title: Data Protection Officer and Grievance Officer (India)
• Email: support@breakoutlearning.com
• Mailing Address: Breakout Learning, Inc., 3309 Elm St #110-365, Dallas, TX 75226

Breakout Learning will acknowledge grievances submitted under the DPDP Act within seven (7) working days and will respond to such grievances in accordance with applicable Indian data protection laws.